The Netwok Layer IPv4 and IPv6 Part 2

Transcription

1 ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE The Netwok Layer IPv4 and IPv6 Part 2 Jean Yves Le Boudec

2 Contents 6. Host configuration 7. ARP 8. IP packet format, HL and TTL Textbook Chapter 5: The Network Layer 2

3 6. Host Configuration An IP host needs to be configured on each interface with IP address of this interface Mask of this interface IP address of default router IP address of DNS server Can be done manually, or automatically with IPv4 DHCP (Dynamic Host Configuration Protocol ) IPv6 DHCP stateful, SLAAC (stateless), DHCP stateless Same applies to routers connected to a provider IPv4 PPP IPv6 PPP, DHCP with Prefix Delegation 3

4 DHCP with IPv4 Configuration info is kept in central DHCP server, contacted by host when it needs an IP address; is commonly used with IPv4. Also works with IPv6 (with modifs called DHCP stateful). Problem: host cannot contact DHCP server since it is still does not have an IP address; Solution: router implement a DHCP Relay function. Two phase commit to avoid inconsistent reservations. Limited lifetime renewals DHCPv4 client (host) Discover Offer DHCPv4 relay (router) DHCPv4 server Request Ack DISCOVER <MAC addr of client> UDP, dest port = 67,srce port = 68 IPv4 dest addr = IPv4 srce addr =

5 The Point to Point Protocol (PPP) Why? allocate address automatically over telecom lines (modem, ADSL) link is point to point, no MAC address, DHCP not suitable How? Similar to (simpler than) DHCP PPPv4 for IPv4 PPPv6 for IPv6 5

6 Stateless Address Autoconfiguration (SLAAC) = Plug and Play Why invented: avoid configuring DHCP servers Fully automatic How it works : First host auto configures a link local address Second, host tries to add globally valid addresses by obtaining network prefix from routers if any present; Only for IPv6 6

7 SLAAC Step 1 IPv6 host determines a 64 bit host part using one of these methods Manually assigned, e.g. ::1 Derived from MAC address (modified EUI next slide) Randomly assigned Cryptographically generated address (CGA) by hashing the public key of the host 7

8 8 Host Part derived from MAC address: EUI (Extended Unique Identifier) 48 bits ff fe inserted in the middle bit 7 of MAC address is flipped modified EUI format 64 bits Q: Why is bit 7 flipped? A: Bit 7 is the g bit an EUI is defined by IEEE; a locally assigned EUI (i.e not derived from MAC address) has g bit equal to 1; this is inconvenient for IPv6 addresses. IPv6 uses the reverse convention: bit 7 of modified EUI is 1 for EUI derived from globally assigned MAC addresses, and 0 for manually assigned addresses (e.g. 2001:620:618:100::1).

9 SLAAC Step 2: Duplicate Test ff02::1:ff78:30f9 A sends a Neighbour Solication (NS) message to check for address duplication, sent to the Solicited Node Multicast Address. Any host that would have to same link local address listens to this multicast address 9

10 The Solicited Node Multicast Address SLAAC (and other protocols) use this multicast address obtained by adding last 24 bits of target IP address to ff02::1:ff00:0/104 A packet with such a destination address is forwarded by layer 2 to all nodes that listen to this multicast address Only for IPv6 IPv4 uses broadcast instead Target address Compressed Uncompressed 2001:620:618:1a6:001:80b2:f66:1 2001:0620:0618:01a6:0001:80b2:0f66:0001 Solicited Node multicast address Uncompressed Compressed ff02:0000:0000:0000:0000:0001:ff66:0001 ff02::1:ff66:1 10

11 SLAAC Step 3: Obtaining Network Prefix host A other host on-link router on-link A attempts to acquire its link local unicast address: fe80::0a00:20ff:fe78:30f9 1. Neighbour Solicitation, multicast to ff02::1:ff78:30f9 (dupl test) A accepts its link local unicast address: fe80::0a00:20ff:fe78:30f9 2. Router Solicitation, multicast to ff02::2 All routers on link A accepts its global unicast address: 2001:620:618:1ad:0a00:20ff:fe78:30f9 router response with prefix 2001:620:618:1ad (if M flag set : use DHCP instead) 11

12 Randomly Assigned Host Part Privacy concern: MAC address allows tracking a mobile node Randomly assigned Host Part can be used as alternative 7th bit of address must be 0 Host randomly computes one tentative host part Duplicate test is used to avoid (unlikely) collisions Has a limited lifetime Limited lifetime, renewed before expiration Successful Duplicate test Preferred timer expires Valid timer expires tentative preferred deprecated invalid - Deprecated address cannot be used to start new TCP connections - Host should obtain a new address 12

13 Stateless DHCPv6 Why invented: solve problem left by stateless auto configuration DNS server address is not provided to host by stateless autoconfiguration How: Stateless auto configuration is performed first Router response contains a flag = USE STATELESS DHCP Host sends a query to DHCP server to obtain missing info, such as DNS server address Why called stateless? A: DHCP servers does not keep state information A better solution? Router Advertisements indicate address of DNS server in an optional RA extension (RFC 6106) 13

14 DHCP server DHCP with Prefix Delegation DHCP Simpscom 2004:aaaa:bbbb:cc01:EUI R0 Lisa s Edge Router R0 SLAAC 2004:aaaa:bbbb:cc03:EUI C 2004:aaaa:bbbb:cc02:EUI B Why? A home (or enterprise) IPv6 router R0 is configured by ISP using DHCP. Local devices are autoconfigured from home router using e.g. SLAAC. Home router needs an IPv6 prefix for the entire home network. How? ISP DHCP server (delegating router) provides to home router not just its IPv6 address but also the network prefix that this router can delegate to its devices. This is called prefix delegation. This prefix may include the prefix of the link from ISP to R0 (RFC 6603). Compare to IPv4! Simpscom delegates 2004:aaaa:bbbb:cc00/56 to Lisa Lisa can create many subnets; e.g. 2004:aaaa:bbbb:cc02/64 and 2004:aaaa:bbbb:cc03/64 the subnet 2004:aaaa:bbbb:cc01/64 is excluded from the delegation For ISP, all of Lisa is one prefix: 2004:aaaa:bbbb:cc00/56 14

15 Solution DHCP server DHCP Lisa s Simpscom Edge Router 2004:aaaa:bbbb:cc01:EUI R0 R0 SLAAC 2004:aaaa:bbbb:cc03:EUI C 2004:aaaa:bbbb:cc02:EUI B Simpscom delegates 2004:aaaa:bbbb:cc00/56 to Lisa Lisa can create many subnets; e.g. 2004:aaaa:bbbb:cc02/64 and 2004:aaaa:bbbb:cc03/64 the subnet 2004:aaaa:bbbb:cc01/64 is excluded from the delegation For ISP, all of Lisa is one prefix: 2004:aaaa:bbbb:cc00/56 Answer: no NAT! if provider operates in this way, Lisa needs no NAT. All devices on Lisa s network have public IPv6 addresses. This is part of the IPv6 dogma, which says that NATs will not be used. But NATs may still be used for protection: keep local addresses private. 15

16 Multiple Addresses per Interface are the Rule with IPv6 A host interface typically has One or several link local addresses Plus one or several global unicast addresses The preference selection algorithm, configured by OS, says which address should be used as source address see RFC 3484 In contrast, there is usually only one IPv4 address per interface 16

17 Zone Index Identifies an interface inside one machine that has several interfaces typically visible in Windows machines Never inside an IP packet E.g. fe80::1%2 means: the destination IPv6 address fe80::1 on interface %2 17

18 Ipconfig example Wireless LAN adapter Wireless Network Connection: Physical Address : 10 0B A9 A DHCP Enabled : Yes Autoconfiguration Enabled.... : Yes Link local IPv6 Address..... : fe80::945c:d22c:b0e2:a885%16(preferred) IPv4 Address : (Preferred) Subnet Mask : Lease Obtained : mercredi 25 juillet :05:03 Lease Expires : mercredi 25 juillet :35:02 Default Gateway : DHCP Server : IAID = logical number of this interface, assigned by client DHCPv6 IAID : DHCPv6 Client DUID : E F0 DE F1 BE ED EB DNS Servers : Ethernet MAC address Identifies this host in the DHCP database NetBIOS over Tcpip : Enabled 18

19 IPv4 Link Local Addresses Some form of autoconfiguration also exists with IPv4 When host boots, if no DHCP and no configuration info available, it picks an IPv4 link local address at random in the /16 block Address duplicate test is performed by broadcast Allows to operate in routerless network («Dentist s Office», à la AppleTalk) but not in a general setting Implemented in Windows, not supported by the Linux version we use in the lab 19

20 a) When an IPv4 host uses DHCP, which of the following information does it acquire: A. its IP address; B. its subnet mask C. its default gateway address D. its DNS server address A. A B. A, B C. A, B, C D. A, B, C, D E. None of the above F. I don t know 20

21 b) When an IPv6 host uses SLAAC, the host part is A. Mapped from MAC address B. Randomly chosen C. Both of the above are possible D. None of the above are possible E. I don t know 21

22 c) With SLAAC an IPv6 host has A. A link local address and, if a router is present in the subnet, also a global unicast address B. If a router is present in the subnet a global unicast address and no link local address C. None of the above D. I don t know 22

23 Solution a) D b) C c) A 23

24 7. MAC Address Resolution Why? An IP machine A has a packet to send to a next hop B. A knows B s IP address (from routing table); A must find B s MAC address. How? On Ethernet, A sends an address resolution packet on the LAN. All hosts that have the IP address of B (in principle only B) respond with their MAC address. 24

25 MAC Address Resolution with IPv6 (NDP) 1 NS packet Dest IP address = ff02::1:ff66:1 Dest MAC address = 33:33:ff:66:00:01 A B C D :620:618:1a6:1:80b2:f01:1 08:00:20:71:0d:d :620:618:1a6:1:80b2:f66:1 00:00:d0:b3:d2:8d A has a packet to send to B = 2001:620:618:1a6:1:80b2:f66:1 This address is on the same subnet therefore A sends directly to B and looks for B s MAC address 1. A sends a Neighbour Solicitation (NS) packet using the Neighbour Discovery Protocol (NDP) containing the question: who has IP address B?. The IP destination address of this packet is a special multicast address (Solicited Node Multicast Address). The MAC address is derived from the multicast IP address. The NS packet is received by all hosts whose IP address has the same 24 bits as B (see next slide). 25

26 Dest IP address = 2001:620:618:1a6:1:80b2:f01:1 Dest MAC address = 08:00:20:71:0d:d4 Dest IP address = 2001:620:618:1a6:1:80b2:f66:1 Dest MAC address = 00:00:d0:b3:d2:8d 2 NA packet 3 e.g TCP packet A B C D :620:618:1a6:1:80b2:f01:1 08:00:20:71:0d:d :620:618:1a6:1:80b2:f66:1 00:00:d0:b3:d2:8d A B C D :620:618:1a6:1:80b2:f01:1 08:00:20:71:0d:d :620:618:1a6:1:80b2:f66:1 00:00:d0:b3:d2:8d 2. B responds with a Neighbour Advertisement (NA) packet, giving its MAC address. This NA packet is sent by B to A. 3. A reads NA, stores MAC address in its neighbour cache (also called ARP table) and can now send the data to B. The cache is refreshed whenever A receives a packet from B; it may expire after some timeout (e.g. 20 mn of inactivity). NA, NS packets are carried as ICMPv6 packets, next header =58 (0x3a), inside IPv6 packets. 26

27 27 Look Inside an NDP Neighbour Solicitation Packet Solicited Node Multicast Address corresponding to this IPv6 target address Neighbor Solicitation (=ARP Request)

28 MAC Address Resolution with IPv4 Similar, except the protocol is called ARP (Address Resolution Protocol) ARP packets are not IP packets but directly in Ethernet frame with Ethertype =ARP (86dd) NDP NS /NA are called ARP Request /ARP replies ARP request is broadcast to all nodes in LAN 28

29 Look inside an ARP packet Ethernet II Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff) Source: 00:03:93:a3:83:3a (Apple_a3:83:3a) Type: ARP (0x0806) Trailer: Address Resolution Protocol (request) Hardware type: Ethernet (0x0001) Protocol type: IP (0x0800) Hardware size: 6 Protocol size: 4 Opcode: request (0x0001) Sender MAC address: 00:03:93:a3:83:3a (Apple_a3:83:3a) Sender IP address: ( ) Target MAC address: 00:00:00:00:00:00 (00:00:00_00:00:00) Target IP address: ( ) 29

30 ed2 in has a packet to destination address and needs to send an ARP. The ARP reply is A.... inside an Ethernet frame with source MAC address = 08:00:20:71:0d:d4 B.... inside an Ethernet frame with source MAC address = 00:00.0d:0d:9a:75 C.... inside an Ethernet frame with source MAC address = 00:00.0c:02:78:36 D. None of the above E. I don t know 00:00.0d:0d:9a:75 30

31 31 Solution Answer B: ed2 in sends an ARP for the next hop, which is in inr. The ARP reply is sent by in inr, with its MAC address on the same LAN as ed2 in. Note that the ARP reply packet also contains this same MAC address, namely 00:00.0d:0d:9a:75, in the text of the ARP reply.

32 32 Security Issues with ARP/ NDP ARP requests / replies may be falsified (ARP spoofing). Attacker will capture all packets intended to B (e.g. man in the middle attack) bogus NA

33 33 DHCP Snooping and Dynamic ARP Inspection can prevent ARP spoofing in LANs DHCP snooping = switch/ethernet concentrator/wifi base station observes all DHCP traffic and remembers mappings IP addr MAC addresses (DHCP is used to automatically configure the IP address at system startup) Dynamic ARP inspection: switch filters all ARP (or NDP) traffic and allows only valid answers removes broadcasts (IPv4) and multicasts (IPv6) Such solutions are deployed in enterprise networks, rarely in homes or WiFi access points

34 Secure NDP (SEND) What? Make NDP spoofing impossible by cryptographic means How? Host B has public/private key pair. EUI of B is a CGA (cryptographically assigned address) = hash of B s public key and IPv6 address prefix (and other fields such as counters). This binds B s address and its public key. NA message sent to A contains a signature (RSA) computed with B s private key. This proves that the message is sent by a system that has the private key that corresponds to the address, i.e. B (if the private key is kept secret). Not widespread yet requires a strong hash function. Problem is the inability to change the crypto function by patching. 34

35 A private/public key system such as RSA has two keys : one public and one private (secret). With RSA, a clear text message can be encrypted with the private key and decrypted with the public key (or vice versa). Let P be the public key that was used to generate B s address (using a hash function), and let p be the corresponding private key. Here, A can verify the NA by applying RSA decryption with the public key P. This proves that the NA was originated by a system that knows the private key p. A can also verify that B s EUI is derived from the public key P, since the hash algorithm is known and public. This proves to A that the NA was originated by a system that owns B s EUI. 35

36 M1 sends a packet to M3 for the first time since last reboot. A. M1 sends an NS /ARP packet for q.h1 B. M1 sends an NS / ARP packet for p.1 C. None of the above D. I don t know 36

37 37 Solution Answer B: Since M3 is not in the same subnet, M1 needs to find the MAC address of its default router, namely p.1. Note that the IP address of the default router such as p.1. is in M1 s configuration, but not the MAC address of the default router.

38 38 8. IPv6 Header

39 39 IPv4 Packet Format Hop Limit is called TTL (Time to live) in IPv4; however it is not a time but a hop count

40 40 Hop Limit (HL) / Time to Live (TTL) Why? Avoid looping packets in transient loops. If propagation time is small compared to transmission time, a single packet caught in a loop can congest the line. A B A B Transient loops may exist due to non instantaneous changes to routing tables. time How? Every IP packet has a field on 8 bits (from 0 to 255) (called HL for IPv6 / TTL for IPv4) that is decremented at every hop. When it reaches 0, packet is discarded. At source, value is 64 by default.

41 Traceroute Sends a series of packets (using UDP) with TTL = 1, 2, 3, tracert (windows) similar but uses ICMP Routers on the path discard packets and send ICMP error message back to source source learns address of router on the path by looking at source address of error message Tracing route to [2a00:1450:4008:800::1012] over a maximum of 30 hops: 1 1 ms <1 ms <1 ms cv ic dit v151 ro.epfl.ch [2001:620:618:197:1:80b2:9701:1] 2 <1 ms <1 ms <1 ms cv gigado v100.epfl.ch [2001:620:618:164:1:80b2:6412:1] 3 <1 ms <1 ms <1 ms c6 ext v200.epfl.ch [2001:620:618:1c8:1:80b2:c801:1] 4 1 ms <1 ms <1 ms swiel2 10GE 3 2.switch.ch [2001:620:0:ffdc::1] 5 <1 ms <1 ms <1 ms swils2 10GE 1 2.switch.ch [2001:620:0:c00c::2] 6 7 ms 7 ms 7 ms swiez1 10GE 2 7.switch.ch [2001:620:0:c03c::2] 7 8 ms 8 ms 7 ms swiez2 P2.switch.ch [2001:620:0:c0c3::2] 8 8 ms 8 ms 8 ms swiix2 P1.switch.ch [2001:620:0:c00a::2] 9 8 ms 8 ms 8 ms swissix.google.com [2001:7f8:24::4a] ms 34 ms 15 ms 2001:4860::1:0:4ca ms 14 ms 17 ms 2001:4860::8:0: ms 50 ms 17 ms 2001:4860::8:0:8f8e ms 24 ms 24 ms 2001:4860::8:0: ms 25 ms 25 ms 2001:4860::1:0:6e0f ms 24 ms 25 ms 2001:4860:0:1::4b ms 25 ms 25 ms ber01s08 in x12.1e100.net [2a00:1450:4008:800::1012] 41

42 Other fields Type of service / Traffic Class Differentiated Services (6bits) sort of priority eg voice over IP Used only in corporate networks Explicit Congestion Notification (2bits) see congestion control Total length / Payload length in bytes including header 64 Kbytes; limited in practice by linklevel MTU (Maximum Transmission Unit) every subnet should forward packets of 576 = bytes Protocol / Next Header = identifier of protocol Checksum 6 = TCP, 17 = UDP 1 = ICMP for IPv4, 58 = ICMP for IPv6 4 = IPv4; 41 = IPv6 (encapsulation = tunnels) 50 = ESP (encrypted payload) 51 = AH (authentication header) IPv4 only, protects header against bit errors Absent in IPv6 layer 2 and router hardware assumed to have efficient error detection ICMP is used to carry error messages 42

43 Look inside an IPv4 packet Ethernet II Destination: 00:03:93:a3:83:3a (Apple_a3:83:3a) Source: 00:10:83:35:34:04 (HEWLETT-_35:34:04) Type: IP (0x0800) Internet Protocol, Src Addr: ( ), Dst Addr: ( ) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00) Total Length: 1500 Identification: 0x624d Flags: 0x04 Fragment offset: 0 Time to live: 64 Protocol: TCP (0x06) Header checksum: 0x82cf (correct) Source: ( ) Destination: ( ) 43

44 44 Look inside an IPv6 packet IPv6 ICMP for IPv6 (this is an NDP packet used for address resolution) solicited node multicast address

45 A host generates a packet with Hop Limit = 1 A. This packet is invalid B. This packet will never be forwarded by a bridge nor by a router C. This packet will never be forwarded by a bridge but may be forwarded by a router D. This packet will never be forwarded by a router but may be forwarded by a bridge E. None of the above is true F. I don t know 45

46 Solution Answer D This packet cannot be forwarded by a router because it would decrement the HL and obtain 0. It can be forwarded by a bridge because a bridge does not examine the IP header. Note that such a packet is perfectly valid. Sources put HL=1 when they want to be sure that the packet remains in the LAN. 46

47 Conclusion The goal of ARP/NDP is to find the MAC address corresponding to an IP address TTL/HL limits the number of hops of an IP packet DHCP is used to allocate IP address, network mask and DNS server s IP address 47

48 d) When an IPv6 host uses stateful DHCP, which of the following information does it acquire: A. its IP address; B. its subnet mask C. its default gateway address D. its DNS server address A. A B. A, B C. A, B, C D. A, B, C, D E. None of the above F. I don t know 48

49 e) When an IPv6 host uses SLAAC, which of the following information does it acquire: A. its IP address; B. its subnet mask C. its default gateway address D. its DNS server address A. A B. A, B C. A, B, C D. A, B, C, D E. None of the above F. I don t know 49

50 f) The 7th bit of the host part of this interface is A. 0 B. 1 C. It is impossible to determine it D. I don t know 50

51 g) An EPFL Assigned IPv6 Addresses with DHCPv6, stateful(except in lnternet Engineering Workshop) 51 = EPFL Network prefix Host part In the lnternet Engineering Workshop we use special addresses that are not part of the EPFL numbering plan Do you recognize something special in the host part? A. The MAC adress of this interface B. The IPv4 address of this interface C. Nothing special D. I don t know

52 52 Solution d) D e) D if DNS extension is supported in Router Advertisements, otherwise C f) A: The host part is 1:80b2:97a:0. The first 16 bit word is (in hexa) 1 (in binary) The 7th bit is 0 g) B: The host part is 64 bits, i.e. 1:80b2:97ca:1 The EPFL numbering plan says: for machines that have an IPv4 address as well, the host part is 1:<IPv4 address>:1 Here 80b2:97ca is the hexa representation of